Bug 1197235

Summary: ausearch can't parse time in non-US locale and UTF-8 enconding
Product: Red Hat Enterprise Linux 6 Reporter: Petr Lautrbach <plautrba>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.7CC: omoris
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: audit-2.4.5-1.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1286633 (view as bug list) Environment:
Last Closed: 2016-05-11 00:01:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
The list of locales for which ausearch does not parse time none

Description Petr Lautrbach 2015-02-27 21:46:39 UTC 
Description of problem:

# export LANG="ja_JP.UTF8"

# python -c 'import locale; locale.setlocale(locale.LC_ALL, ""); import time; print time.strftime("%x %X", time.localtime(time.time()))'
2015年02月27日 22時38分08秒

# /sbin/ausearch -m avc -ts 2015年02月27日 22時38分08秒
Invalid start time (22時38分08秒). Hour, Minute, and Second are required.



Version-Release number of selected component (if applicable):
audit-2.3.7-5.el6.x86_64

How reproducible:
always
Comment 1 Steve Grubb 2015-10-13 15:42:21 UTC 
Increased buffer size in upstream commit 1069.
Comment 4 Ondrej Moriš 2016-03-22 12:40:16 UTC 
I did a simple test to check ausearch time parsing for all possible locales:

# to list broken locales
for L in $(locale -a); do
  export LANG=$L; 
  D=$(date "+%x"); 
  T=$(date "+%X"); 
  auditctl -m "$L"; 
  sleep 1; 
  ausearch -r -ts $D $T -m USER >/dev/null 2>&1 || echo "$L|$D|$T|$(date)|"; 
  # moreover it is necessary to check that only a single event is found
done; 
 
First of all, ja_JP.UTF8 is definitely fixed now. But for quite a few other locales ausearch does not parse time correctly. From 735 locales, 219 seem to have issues. From what I see time looks strange in many cases. For instance:

# export LANG=mt_MT.iso88593
# date
Tli Mar 22 12:15:05 CET 2016
# date "+%x"
it-Tlieta, 22 ta Mar, 2016
# date "+%X"
12:15:04  CET

Clearly CET in local time is not expected. This kind of errors is most likely glibc bug. But there are other cases where everything looks perfectly fine but ausearch still will not parse it correctly:

# export LANG=sl_SI
# date 
tor mar 22 12:16:54 CET 2016
# date "+%x"
22. 03. 2016
# date "+%X"
12:16:53

in this case ausearch cannot parse date:

# ausearch -r -ts 22. 03. 2016 12:16:53   
Invalid start date (22.). Month, Day, and Year are required.

The list of all broken locales can is attached to this bugzilla, format of the file is as follows:

$LANG|$(date "+%x")|$(date "+%X")|$(date)

I consider this bug to be verified but we should think about other issues in the future, I will open a bug to track them.
Comment 5 Ondrej Moriš 2016-03-22 12:42:45 UTC 
Created attachment 1139043 [details]
The list of locales for which ausearch does not parse time
Comment 6 Steve Grubb 2016-03-22 17:55:55 UTC 
Thanks for testing. A new bug is not needed. There is already bug #1286633 that this exact problem was reported on. You might just attach the findings as a reminder.
Comment 7 Steve Grubb 2016-03-22 18:36:16 UTC 
In looking at the case of LANG=sl_SI above, the issue is the spaces. If you do this:

ausearch --start '22. 03. 2016' 14:00:00

It works fine. The time and date values need quoting so that its understood to be one argument to --start rather than 3. I wonder if that would clear up more of the test cases?
Comment 8 Steve Grubb 2016-03-22 18:40:10 UTC 
# ausearch --start "`date "+%x"`" "`date "+%X"`"
Comment 9 Ondrej Moriš 2016-03-23 14:39:39 UTC 
Clearly, you are right Steve, with quoting the number of problematic locales decreases to 141. Moreover, 117 of them are "CET" (in time) issues mentioned above. I will update BZ#1286633.

Regarding verification of this bug - successfully reproduced and verified:

OLD (audit-2.3.7-5.el6)
=======================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: LANG ja_JP.UTF8
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Export LANG as ja_JP.UTF8 (Expected 0, got 0)
:: [   PASS   ] :: Audit user message (Expected 0, got 0)
:: [   FAIL   ] :: Searching audit log (Expected 0, got 1)
:: [   PASS   ] :: Single event should be reported (Assert: '1' should equal '1')
:: [   FAIL   ] :: File '/var/tmp/tmp.uKMlTUWRtD' should contain 'msg='ja_JP.UTF8' 
:: [   FAIL   ] :: File '/var/tmp/tmp.uKMlTUWRtD' should not contain 'Invalid start time' 
:: [ 15:37:22 ] :: T="15時37分19秒" D="2016年03月23日"
:: [ 15:37:22 ] :: date="2016年  3月 23日 水曜日 15:37:22 CET"

# ausearch -r -m USER -ts "2016年03月23日" "15時37分19秒"'
Invalid start time (15時37分19秒). Hour, Minute, and Second are required.

New (audit-2.4.5-2.el6)
=======================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: LANG ja_JP.UTF8
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   PASS   ] :: Export LANG as ja_JP.UTF8 (Expected 0, got 0)
:: [   PASS   ] :: Audit user message (Expected 0, got 0)
:: [   PASS   ] :: Searching audit log (Expected 0, got 0)
:: [   PASS   ] :: Single event should be reported (Assert: '1' should equal '1')
:: [   PASS   ] :: File '/var/tmp/tmp.XIRzh2fMYX' should contain 'msg='ja_JP.UTF8' 
:: [   PASS   ] :: File '/var/tmp/tmp.XIRzh2fMYX' should not contain 'Invalid start time' 
:: [ 15:32:19 ] :: T="15時32分17秒" D="2016年03月23日"
:: [ 15:32:19 ] :: date="2016年  3月 23日 水曜日 15:32:19 CET"

# ausearch -r -m USER -ts "2016年03月23日" "15時32分17秒"'
type=USER msg=audit(1458743537.177:36681): user pid=23217 uid=0 auid=0 ses=2077 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='ja_JP.UTF8 exe="/sbin/auditctl" hostname=? addr=? terminal=pts/3 res=success'
Comment 11 errata-xmlrpc 2016-05-11 00:01:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0867.html